The JWT access token validator inspects the JWT itself without presenting it to an authorization server for validation. Because it does not make a token introspection request for every access token that it processes, it performs faster than the PingFederate access token validator. However, because the token is validated locally rather than checked with the authorization server, the JWT access token validator cannot determine whether the token has been revoked.

Supported JWS/JWE features

For signed tokens, the JWT access token validator supports the following JSON Web Algorithm (JWA) signing algorithms:
  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512

For encrypted tokens, the JWT access token validator supports the following key-encryption algorithms:
  • RSA-OAEP
  • ECDH-ES
  • ECDH-ES+A128KW
  • ECDH-ES+A192KW
  • ECDH-ES+A256KW

For encrypted tokens, the JWT access token validator supports the following content-encryption algorithms:
  • A128CBC-HS256
  • A192CBC-HS384
  • A256CBC-HS512

The JWT access token validator configuration defines three allow lists for the JWS/JWE signing and encryption algorithms that it accepts. Customize these allow lists so that they contain only the signing and encryption algorithms that your access token issuer actually uses, and no others. Doing so minimizes the access token validator's attack surface.

Configure these allow lists using the following configuration properties:
  • allowed-signing-algorithm

    Specifies the signing algorithms that the access token validator accepts.

  • allowed-key-encryption-algorithm

    Specifies the key-encryption algorithms that the access token validator accepts.

  • allowed-content-encryption-algorithm

    Specifies the content-encryption algorithms that the access token validator accepts.
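As an added example (not code from this documentation or from the product), the following Python sketch shows the gate that these three allow lists implement, using constructed allow-list values and constructed sample tokens: it reads the protected header, treats a three-segment token as JWS and a five-segment token as JWE, and rejects any token whose alg or enc is not on the matching list, which is also why a narrow list refuses unsigned ("none") and HMAC-signed tokens that the issuer never produces.

```python
import base64
import json

# Allow lists mirroring the three validator properties; values are constructed
# for an issuer that signs only with RS256 and encrypts with RSA-OAEP/A256CBC-HS512.
ALLOWED_SIGNING = {"RS256"}
ALLOWED_KEY_ENC = {"RSA-OAEP"}
ALLOWED_CONTENT_ENC = {"A256CBC-HS512"}

def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_token_algorithms(token):
    """Return (accepted, reason) from the protected header alone.
    A token that passes still needs its signature verified (JWS) or its
    content decrypted and the inner JWS verified (JWE); this gate runs first."""
    parts = token.split(".")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        alg, enc = header.get("alg"), header.get("enc")
    except (ValueError, AttributeError):  # bad base64url/JSON, or not an object
        return False, "malformed header"
    if len(parts) == 3:  # JWS compact form: header.payload.signature
        if alg not in ALLOWED_SIGNING:  # also rejects "none" and HS* tokens
            return False, "signing algorithm %r not allowed" % alg
        return True, "JWS algorithm allowed"
    if len(parts) == 5:  # JWE compact form: header.key.iv.ciphertext.tag
        if alg not in ALLOWED_KEY_ENC:
            return False, "key-encryption algorithm %r not allowed" % alg
        if enc not in ALLOWED_CONTENT_ENC:
            return False, "content-encryption algorithm %r not allowed" % enc
        return True, "JWE algorithms allowed"
    return False, "unexpected segment count %d" % len(parts)

def _header(fields):
    # Base64url-encode a header for the constructed sample tokens below.
    raw = json.dumps(fields, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

# Constructed samples; non-header segments are placeholders (only the header
# is inspected here).
SAMPLE_TOKENS = {
    "rs256": _header({"alg": "RS256"}) + ".e30.sig",
    "none": _header({"alg": "none"}) + ".e30.",
    "hs256": _header({"alg": "HS256"}) + ".e30.sig",
    "jwe_ok": _header({"alg": "RSA-OAEP", "enc": "A256CBC-HS512"}) + ".k.iv.ct.tag",
    "jwe_bad": _header({"alg": "ECDH-ES", "enc": "A256CBC-HS512"}) + ".k.iv.ct.tag",
}
```

The check deliberately runs before any key material is touched, so an unexpected algorithm is refused without the validator ever attempting signature verification or decryption with it.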